We manage Exchange and BES for another company that has their AD structure broken down by OU so that each OU has its own administrator that has full rights over all the users under their respective OUs. We want to delegate rights to those administrators to add/remove users and reset enterprise activation passwords so they don't have to keep asking us for every BES change they wish to perform.

The customer's requirement is that the administrators only have BES admin access to their specific OU and not to any other OUs. Currently I don't see a way to do this on BES 4.1 SP5. In other words, even if we add someone to the Jr or Sr helpdesk roles, they will have access to reset BES passwords and add/remove users from other OUs as well as their own.

Is there a way we can make this happen? Or, if this isn't possible, is there a way we can log BES user additions/removals and password resets by administrators?

Welcome!

What you're looking to do can't be done with roles or through the BlackBerry Manager.

Your best bet would be to build a web app or some other app using the BlackBerry Resource Kit User Administration Service / Client, and taking the security model out of the realm of BES and putting the onus on AD Groups / Permissions.
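A sketch of the authorization gate such a wrapper app would need, covering both the OU restriction and the logging asked about in the question. This is an added example, not code from the thread or from the BlackBerry Resource Kit. The group names, OU DNs and the `bes_action` callable are hypothetical, and the admin's group list is assumed to come from an AD lookup done elsewhere.

```python
import json
import logging

audit = logging.getLogger("bes.audit")  # attach a file/syslog handler in deployment

# Constructed mapping (assumption): AD group -> OU subtree its members may manage.
DELEGATIONS = {
    "BES-Admins-Sales": "OU=Sales,DC=example,DC=com",
    "BES-Admins-Eng": "OU=Engineering,DC=example,DC=com",
}
ACTIONS = {"add_user", "remove_user", "reset_activation_password"}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip().lower() for p in parts]

def in_scope(target_dn, ou_dn):
    """True only if target_dn sits strictly below ou_dn, compared RDN by RDN."""
    target, ou = split_dn(target_dn), split_dn(ou_dn)
    return len(target) > len(ou) and target[-len(ou):] == ou

def authorize_and_run(admin, admin_groups, action, target_dn, bes_action):
    """Gate one BES change on OU scope; audit every attempt, allowed or not."""
    allowed = action in ACTIONS and any(
        in_scope(target_dn, DELEGATIONS[g]) for g in admin_groups if g in DELEGATIONS
    )
    audit.info(json.dumps({"admin": admin, "action": action,
                           "target": target_dn, "allowed": allowed}))
    if not allowed:
        raise PermissionError(f"{admin} may not {action} {target_dn}")
    # bes_action is a hypothetical callable wrapping whatever performs the change.
    return bes_action(action, target_dn)
```

Comparing whole RDNs rather than raw string suffixes keeps look-alike OU names and escaped commas in a CN from widening an administrator's scope, and the audit record is written before the denial is raised so refused attempts are logged too.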